Question
Django security settings for App Platform
- Posted on March 9, 2024
- DigitalOcean App PlatformDjangoSecurity
Asked by Siburg
I am running a Django 4.2 application on App Platform. When running the management command to check --deploy I get the following results:
(security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems. (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
Looking at the Django documentation for those settings, however, I see warnings that they may not work if the site is behind a proxy. Using App Platform, I believe that is actually the case. So I would like to understand if, and how, those settings, or related settings, can be used for Django on App Platform.
As a side note, I have read the tutorial How To Harden the Security of Your Production Django Project. But that assumes that I can configure the server myself.
So I would greatly appreciate any recommendations or insights that would work for App Platform specifically.
Thanks in advance.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Featured on Community
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Heya,
Your situation is quite common when deploying Django applications on platforms like App Platform, where you don’t have direct control over the server configuration. Here’s how you can handle the warnings
security.W004andsecurity.W008in this context:SECURE_HSTS_SECONDS: This setting enforces HTTP Strict Transport Security (HSTS), which tells browsers to access your site via HTTPS only for a given amount of time. When your Django app is behind a proxy (like in App Platform), the proxy usually handles HTTPS connections, and your Django app might only see HTTP traffic (which is already secure within the internal network).
If you enable
SECURE_HSTS_SECONDS, make sure that HTTPS is already enabled and working on your App Platform setup. You must be certain that you don’t plan to serve over HTTP again; otherwise, users might not be able to access your site if they can only reach it via HTTP.SECURE_SSL_REDIRECT: This setting redirects all HTTP traffic to HTTPS. Like HSTS, if your app is behind a proxy that already redirects HTTP to HTTPS, enabling this in Django could be redundant or might cause issues.